Logjam (computer security): Difference between revisions

m Details: change link redirect. Discrete logarithm problem
Raync (talk | contribs)
See also: added Twirl, a proposed device in 2003 that could factor 1024-bit moduli
 
(2 intermediate revisions by 2 users not shown)
{{Short description|Security vulnerability in Diffie–Hellman key exchange}}
'''Logjam''' is a [[Vulnerability (computing)|security vulnerability]] in systems that use [[Diffie–Hellman key exchange]] with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015.<ref name="paper">{{cite web |url=https://weakdh.org |title=The Logjam Attack |website=weakdh.org |date=2015-05-20 |access-date=2015-05-20 |archive-date=2021-03-29 |archive-url=https://web.archive.org/web/20210329172612/https://weakdh.org/ |url-status=live }}</ref> The discoverers were able to demonstrate their attack on 512-bit ([[export of cryptography from the United States|US export-grade]]) DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.<ref>{{cite web |url=https://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/ |title=HTTPS-crippling attack threatens tens of thousands of Web and mail servers |author=Dan Goodin |website=[[Ars Technica]] |date=2015-05-20 |access-date=2022-04-30 |archive-date=2017-05-19 |archive-url=https://web.archive.org/web/20170519130937/https://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/ |url-status=live }}</ref><ref>{{cite news |url=https://www.zdnet.com/article/logjam-security-flaw-leaves-tens-of-thousands-of-https-websites-vulnerable/ |title=Logjam security flaw leaves top HTTPS websites, mail servers vulnerable |author=Charlie Osborne |work=[[ZDNet]] |date=2015-05-20 |access-date=2015-05-23 |archive-date=2015-05-23 |archive-url=https://web.archive.org/web/20150523004129/http://www.zdnet.com/article/logjam-security-flaw-leaves-tens-of-thousands-of-https-websites-vulnerable/ |url-status=live }}</ref><ref>{{cite news|url=https://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565|title=New Computer Bug Exposes Broad Security Flaws|work=The Wall Street Journal|first=Jennifer|last=Valentino-DeVries|date=2015-05-19|url-access=subscription|access-date=2022-04-30|archive-date=2022-02-24|archive-url=https://web.archive.org/web/20220224011050/https://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565|url-status=live}}</ref>
 
==Details==
The authors also estimated the feasibility of the attack against 1024-bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pre-generated [[prime number|prime]] for their field. This was considered secure, since the [[discrete logarithm problem]] is still considered hard for big enough primes even if the group is known and reused. The researchers calculated the cost of creating the Logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within range of the FY2012 $10.5 billion [[U.S. Consolidated Cryptologic Program]] (which includes [[NSA]]). Because of the reuse of primes, generating precomputation for just one prime would break two-thirds of [[VPN]]s and a quarter of all [[Secure Shell|SSH]] servers globally. The researchers noted that this attack fits claims in leaked NSA papers that NSA is able to break much current cryptography. They recommended using primes of 2048 bits or more as a defense, or switching to [[elliptic-curve Diffie–Hellman]] (ECDH).<ref name="paper" />
However, the claims about the practical implications of the attack were disputed by security researchers Eyal Ronen and [[Adi Shamir]] in their paper "Critical Review of Imperfect Forward Secrecy".<ref>{{Cite web | url=http://www.wisdom.weizmann.ac.il/~eyalro/RonenShamirDhReview.pdf | first1=Eyal | last1=Ronen | first2=Adi | last2=Shamir | title=Critical Review of Imperfect Forward Secrecy | date=October 2015 | journal= | access-date=2022-04-30 | archive-date=2021-12-11 | archive-url=https://web.archive.org/web/20211211100114/https://www.wisdom.weizmann.ac.il/~eyalro/RonenShamirDhReview.pdf | url-status=live }}</ref>
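The point of the paragraph above, that the expensive part of the attack depends only on the shared prime and is then reused against every connection that uses it, can be seen in miniature with a toy group. The following is an added illustration written for this article, not code from the Logjam researchers or from any of the tools named on this page; it assumes a constructed 14-bit prime (P=10007, G=5) in place of a real 1024-bit group, and uses textbook baby-step giant-step, whose baby-step table plays the role of the per-prime precomputation (the real attack used number-field-sieve precomputation, which is far costlier but has the same once-per-prime structure). It also includes the defender-side check the paper's recommendation implies: reject finite-field DH primes below 2048 bits.

```python
# Added example (not from the Wikipedia article or the Logjam paper): a toy
# model of why precomputation against one shared Diffie-Hellman prime is
# reusable across every session that uses that prime.
import math
import secrets

# Constructed toy group parameters (assumed; not a real deployed DH group).
P = 10007   # small prime standing in for a widely shared 1024-bit prime
G = 5       # generator of the toy group


def dh_keypair(p=P, g=G):
    """One party's Diffie-Hellman key: private exponent x and public g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def precompute_baby_steps(p, g):
    """Precomputation stage of baby-step giant-step.

    Depends only on (p, g), never on any user's key, so it is built once per
    prime and reused against every target that uses that prime.
    Returns m = ceil(sqrt(p - 1)) and the table {g^j mod p: j} for 0 <= j < m.
    """
    m = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    return m, table


def discrete_log(h, p, g, precomp):
    """Per-target stage: find x with g^x = h (mod p) using the shared table.

    Giant steps multiply h by g^(-m) repeatedly and look each value up in the
    baby-step table; cost is O(sqrt(p)) per target instead of O(p).
    """
    m, table = precomp
    g_inv_m = pow(pow(g, p - 2, p), m, p)   # g^(-m) mod p via Fermat inverse
    gamma = h % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * g_inv_m % p
    return None   # h is not in the subgroup generated by g


def passive_recover_shared_secret(pub_a, pub_b, p, g, precomp):
    """What a passive observer of the two public values can do once the
    per-prime precomputation exists: recover a from g^a, then derive the
    session secret (g^b)^a that both parties will use to key the connection."""
    a = discrete_log(pub_a, p, g, precomp)
    return pow(pub_b, a, p)


def dh_prime_is_acceptable(p, min_bits=2048):
    """Defender-side check matching the paper's recommendation: shared
    finite-field DH primes shorter than 2048 bits are not acceptable."""
    return p.bit_length() >= min_bits


if __name__ == "__main__":
    pre = precompute_baby_steps(P, G)          # paid once per prime ...
    for _ in range(3):                         # ... reused across many sessions
        a, pub_a = dh_keypair()
        b, pub_b = dh_keypair()
        real_secret = pow(pub_b, a, P)
        assert passive_recover_shared_secret(pub_a, pub_b, P, G, pre) == real_secret
    print("toy prime acceptable for production?", dh_prime_is_acceptable(P))
```

The table is built before any key is seen, and the per-session work afterwards is only the giant-step loop, which is why the paper prices the precomputation per prime rather than per connection. Replacing the shared prime with a 2048-bit one (or moving to ECDH) raises the cost of that one-time stage rather than the per-session stage, which is the lever the recommendation in the text pulls.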
 
== Test tools ==
 
* [[Transport Layer Security|TLS]]-based services such as web servers offering [[HTTPS]] can be checked for the vulnerability using scanners such as [https://github.com/nabla-c0d3/sslyze SSLyze], the [https://ssllabs.com/ssltest/ Qualys SSL server test], [https://www.immuniweb.com/ssl/ ImmuniWeb SSL Security Test], [https://www.ssltrust.com/ssl-tools/website-security-check SSLTrust], [https://tls.imirhil.fr CryptCheck], [https://www.cyphercraft.io CypherCraft], [https://github.com/drwetter/testssl.sh testssl.sh] or the [https://tools.keycdn.com/logjam keycdn.com scanner].
* [[SSH]] servers can be tested using the [https://github.com/jtesta/ssh-audit ssh-audit] or [https://github.com/GDSSecurity/SSH-Weak-DH SSH-Weak-DH] tools.
 
== Responses ==
* [[POODLE]]
* [[Server-Gated Cryptography]]
* [[TWIRL]]
 
== References ==